Re: Worm on 445/tcp?

From: Stephen J. Friedl (steveat_private)
Date: Tue Dec 17 2002 - 12:34:35 PST


    Scott A. McIntyre wrote:
    
    > It appears as though there's a high degree of randomness to the 
    > destination IP addresses that are chosen by the worm as can be seen 
    > from this 1 second snapshot:
    
    The scanning pattern *is* random, though with a twist. It uses the 
    rand() function twice to create a random IP address, but this function 
    only has 15 bits of pseudorandomness. The upshot is that the second and 
    fourth octets of the IP address will always be in the range 0..127. So 
    my IP at home (64.170.X.X) won't ever get any hits.
    
    Steve
    
    -- 
    Stephen J Friedl • Software Consultant • Tustin, CA •   +1 714 544-6561
    www.unixwiz.net  • I speak for me only •   KA8CMY   • steveat_private
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
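
Added example, not part of the original message: a C sketch of the address bias described above, showing which destinations a sensor can ever expect to see hit. It assumes each 15-bit rand() result fills one 16-bit half of the address, low byte first; `rand15`, `compose_addr`, `reachable` and the generator constants are hypothetical stand-ins, and the 64.170.10.20 sample is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a rand() that yields only 15 bits (0..32767) per call.
   The LCG constants are chosen for this example, not taken from the worm. */
static uint32_t state = 1;
static uint32_t rand15(void)
{
    state = state * 214013u + 2531011u;
    return (state >> 16) & 0x7FFFu;
}

/* ASSUMPTION: each call supplies one 16-bit half of the address, low byte
   first, so the top bit of octets 2 and 4 is never set. */
static void compose_addr(uint8_t oct[4])
{
    uint32_t a = rand15(), b = rand15();
    oct[0] = a & 0xFF;          /* 1st octet: full 0..255 */
    oct[1] = (a >> 8) & 0xFF;   /* 2nd octet: only 7 bits, 0..127 */
    oct[2] = b & 0xFF;          /* 3rd octet: full 0..255 */
    oct[3] = (b >> 8) & 0xFF;   /* 4th octet: only 7 bits, 0..127 */
}

/* Sensor-side check: can this address ever be produced by the scheme? */
static int reachable(const uint8_t oct[4])
{
    return oct[1] < 128 && oct[3] < 128;
}

/* Draw n addresses and count any that fall outside the predicted range. */
static unsigned long count_violations(unsigned long n)
{
    unsigned long bad = 0;
    uint8_t oct[4];
    while (n--) {
        compose_addr(oct);
        if (!reachable(oct))
            bad++;
    }
    return bad;
}

int main(void)
{
    const uint8_t home[4] = {64, 170, 10, 20};  /* constructed sample in 64.170.X.X */
    printf("violations in 1000000 draws: %lu\n", count_violations(1000000));
    printf("64.170.10.20 reachable: %d\n", reachable(home));
    /* two octets each lose one bit: 2^30 of 2^32 addresses */
    printf("share of IPv4 space covered: %.2f\n", 1.0 / 4.0);
    return 0;
}
```

Under this assumption only a quarter of the IPv4 space is ever targeted, so a sensor whose second or fourth octet is 128 or higher sees no hits.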
    


